I just had an argument with colleagues about the usefulness of Microsoft BitLocker drive encryption for keeping representatives of the state (FBI etc.) out of data. They were convinced that vendors of proprietary software have backdoors in their algorithms which can be used in severe cases, i.e. suspicion of terrorism etc.

The alternative is of course TrueCrypt, because in theory, the code is open and can be reviewed by the public. In practice, even though I know the programming language, I do not have enough knowledge of the algorithm to be able to spot a possible backdoor or a feature which might give an advantage to a deliberate cryptographic attack. Does anyone know if the code has been reviewed by a trustworthy 3rd party? And if so, how is their trustworthyness established?

So, to come to the general questions:

How would a company which really, really wants to keep their files completely secret decide upon their cryptographic solution? They cannot be 100% sure that BitLocker is safe, can they? However, would they in practice be able to make sure that TrueCrypt is?

How would you estimate the chance that Microsoft and similar companies work with government agencies and give them an advantage to breaking their security so that it doesn't take 1000s of years to break (is that how long BitLocker should take)?

"I know the programming language, I do not have enough knowledge of the algorithm to be able to spot a possible backdoor or a feature which might give an advantage to a deliberate cryptographic attack." Not a problem because there are probably hundreds of people around the world with that knowledge who are doing this for you.
–
Linker3000Feb 15 '11 at 12:01

3

Have you heard of the "Underhanded C contest"? If there was a deliberate falsification in it, there is no guarantee that anyone would spot it.
–
Felix DombekFeb 15 '11 at 12:10

4 Answers
4

Microsoft have pretty much stated that there is no backdoor in Bitlocker, and I don't think it is in their best interest to as the backlash would be huge.

The leak of the Microsoft COFFEE tools basically packages a lot of methods already known to the security industry in an easy to use product for law enforcement, but no where is a hack/backdoor for Bitlocker.

I am not saying it doesn't exist, but I find it highly unlikely.

There is nothing stopping you for using a Bitlocker drive and then having a Truecrypt encrypted file inside it!

I think the most likely way encryption like this will be broken is through pure brute force through super computer power.

I find it highly unlikely that there is a backdoor to Bitlocker. Considering how much scrutiny Microsoft is always under, there are plenty of great programmers out there that are capable to sniffing out Microsoft's attempts at a backdoor. On top of that there are plenty of high profile clients that would leave Microsoft.

First example I can give you is with QuickBooks. QuickBooks has backdoors that allow you to get into a quickbooks database if you were to forget the password. QuickBooks is also proprietary.

Open Source guarantees that you know what is behind the scenes. They (meaning Quickbooks) could lie and not tell you they have this functionality and use it for themselves. Or they can tell you they have the functionality and when they are subpenaed use it against you.

In my honest opinion trusting a closed source proprietary encryption software is a bad deal; you have to trust what you are using, and then you have to trust it even more if you dont even know how it works or if the people endorsing it works are the people getting paid to.

Not only that there are established algorithms for encryption; proprietary closed source doesn't guarantee they are using the most recent stable versions of the encryption algorithms. Obviously if they say they are using AES 256 bit encryption; what is the point if there is a backdoor? There isn't one. You may as well just give the password protected database to software cracker and let them figure it out.